mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-22 02:20:40 +00:00
8b0c0dc9fb
We call tls_rx_msg_size(skb) before doing skb->len += chunk.
So the tls_rx_msg_size() code will see old skb->len, most
likely leading to an over-read.
Worst case we will over read an entire record, next iteration
will try to trim the skb but may end up turning frag len negative
or discarding the subsequent record (since we already told TCP
we've read it during previous read but now we'll trim it out of
the skb).
Fixes:
|
||
---|---|---|
.. | ||
Kconfig | ||
Makefile | ||
tls.h | ||
tls_device.c | ||
tls_device_fallback.c | ||
tls_main.c | ||
tls_proc.c | ||
tls_strp.c | ||
tls_sw.c | ||
tls_toe.c | ||
trace.c | ||
trace.h |